Rapleaf is selling your identity

Rapleaf shows consumers who enroll on its site only a small subset of the information it has amassed on them.By David Goldman, staff writerFirst Published: October 21, 2010: 1:13 PM ET

NEW YORK (CNNMoney.com) -- Rapleaf knows your name, your age and where you live. It knows your e-mail address, your income and what social networks you use. It knows your likes and dislikes. And it makes money by selling much of that personal information to advertisers.

Of course, Rapleaf is far from the only company that does this. Acxiom, ChoicePoint, Quantcast, and BluKai also collect and sell your data, as do many others. Google (GOOG, Fortune 500), Facebook and other Web companies also gather data about you in an attempt to target very personal ads.

But Rapleaf was thrust into the spotlight this week after the Wall Street Journalreported that the San Francisco-based company obtained Facebook IDs from many of the social network's apps and sold those IDs to advertisers -- even from users who requested that data be kept private.

By merging a user's Facebook ID with other data about them, Rapleaf gave advertisers a detailed window into many Web users' personal information. In a recent blog post on the issue, Rapleaf called it "a serious potential privacy risk."

In passing on the information, the apps violated Facebook's terms of service agreement -- inadvertently, the developers say. And Rapleaf has been forced into the uncomfortable position of explaining how it maintains the privacy of the 400 million Web users it tracks while also selling their profiles to advertisers.

The company claims that it did not intend to transmit quite as much detail as it did.

"We do not sell Facebook IDs to ad networks," said Michael Hsu, spokesman for Rapleaf. "They were being sent because of technical issues with browsers today in which the referrer URLs were including them inadvertently."

What Rapleaf really knows

But a number of privacy experts said they believe Rapleaf is being disingenuous. They noted that the company links users' names and e-mail addresses to many social networking profiles -- including Flickr, Friendster, LinkedIn, Twitter, Pandora, Wordpress, MySpace, Bebo, Tribe, Livejournal, Yelp and Amazon -- and sells that information to third-parties.

"If Rapleaf hadn't gotten caught, they would have kept on doing it," Murray Jennex, professor of knowledge management at San Diego State University, said of the company's Facebook data harvest. "Social networks' terms of service are a loose barrier. They're a gray area that companies like Rapleaf try to get around, and they're not all that powerful a deterrent."

Rapleaf downplays to consumers how much it's tracking about them.

The company's site invites visitors to sign up for a Rapleaf account and "manage your info," but logging in won't show you the detailed profile Rapleaf has compiled: It displays only basic demographic information and broad interest categories. Rapleaf will tell you that it knows you like "social networks," but it won't reveal that it knows your Facebook, Pandora and Plaxo handles -- plus your Klout score, how often you tweet and what's on your Amazon wishlist.

(Updated: Late Thursday, after this article published, Rapleaf made changes to its site to display more of the personal data it has collected to those who enroll and log to check their own profile.)

Rapleaf declined to comment. A spokesman said company executives were too busy to field further questions.

This isn't the first time Rapleaf has been accused of privacy violations. In 2007, CNET reported that the company operated two other subsidiaries that secretly shared information with one another to create extremely detailed profiles about users -- including their social network affiliations. Rapleaf quickly responded by merging all of its businesses under one brand.

Connecting the dots to your secrets

Rapleaf's Facebook ID misstep highlights a much larger issue: Even if one data aggregator doesn't share personally identifying information, customers of many data collectors can very easily link up different sources of information to discover things you thought couldn't be traced back to you.

"People don't really appreciate how much can be known about you online," Jennex said. "It's not just a single company doing this, it's everybody."

Using only a name, an e-mail address and information provided by data aggregators including Rapleaf, one privacy researcher -- who asked not to be identified because of his business dealings with several companies in the field -- ran a test combining all of the data from multiple sources. In 86% of his trials, the resulting profile linked the subject's name to his or her full, nine-digit social security number.

The security concerns are far-reaching.

"Here's the truth of the matter when it comes to data mining today: The data they collect will be used in ways they never imagined or intended," said Michael Fertik, CEO of privacy software maker ReputationDefender. "You can mash up huge data sets that were never meant to be mashed together, that are very specific."

Building databases about customers is hardly a new business, nor is it illegal or illegitimate. Telemarketers, political candidates and advertisers have been gathering information about people for years. Online, it's what Web users exchange in return for free services and content.

But the information is becoming far more precise. It's one thing for a marketer to know you're 40 years old and subscribe to travel magazines; it's another for them to know you're leaving Saturday for a week in Italy.

"What's different is that the information now is likely going to be accurate and specific, because it's coming from social networks like Facebook where you represent yourself as you really are," said Debra Williamson, senior analyst at eMarketer.

And as the data ooze spreads, so do the implications. If you talk on Facebook about your late credit-card payment -- or your cancer treatments -- there's a growing risk you'll be overheard.

"The consequences aren't only about advertising, because, in the scheme of things, who cares about that?" Fertik said. "What I'm worried about is health information and your life getting stolen from you. That moment of reckoning is coming."

Fast-food chains that operate in more than 30 locations nationwide are the sole target of a new rule in New York to hike their minimum wage to $15. But consumers and small business owners, as well as some employees, may be the ones to pay the price. More